
Nuxt2 Security advisories #9284

Closed
pi0 opened this issue May 12, 2021 · 32 comments

Comments

@pi0
Member

pi0 commented May 12, 2021

While we are working on Nuxt 3 stable release, Nuxt 2 has to keep some dependencies in their older versions to avoid breaking changes. These include webpack@4, postcss@7 and core-js@2. (Update: You can now migrate to nuxt bridge: https://nuxt.com/docs/bridge/overview)

As a result, some sub-dependencies are becoming obsolete, and eventually some vulnerabilities are discovered in them. This doesn't always mean Nuxt is vulnerable, since most of them only apply when untrusted user input is involved, while these sub-dependencies in Nuxt are used in the build step and during development only.

You have to take care of these security issues immediately:

| ID | Related Package | Status | Description |
| --- | --- | --- | --- |
| GitHub issue | @nuxt/webpack > cssnano > cssnano-preset-default > postcss-svgo > svgo | ⚠️ Urgent | Use resolution to prevent installing malicious version |
| GHSA-pjwm-rvh2-c87w | @nuxt/utils > ua-parser-js | ⚠️ Attention | Update lock file and local cache |
| vuejs/vue-router#3652 | vue-router | ⚠️ Minor | Update the lockfile to use vue-router>=3.5.3 |

This is an informative listing of current safe-to-ignore (false positive) vulnerabilities:

| ID | Related Package | Status |
| --- | --- | --- |
| GHSA-4jqc-8m5r-9rpr | webpack >> set-value | 🔰 Not affecting |
| GHSA-rp65-9cf3-cjxr | webpack >> nth-check | 🔰 Not affecting |

These issues have been solved in the dependency tree. It is advised to renew the lock file (package-lock.json and yarn.lock) to get the fixes.

| ID | Related Package | Status | Description |
| --- | --- | --- | --- |
| SNYK-JS-UAPARSERJS-1766952 | | | |
| 2021-23368 | postcss@7 | ✅ Fixed | Is only vulnerable for online tools like codepen that directly compile user css (patch notes) |
| 2021-27290 | ssri@6.0.2 | ✅ Fixed | Is only vulnerable to DoS attack if webpack is compiling untrusted code |
| 2021-33502 | normalize-url@<4.5.1, <5.3.1, <6.0.1 | ✅ Fixed | Is only vulnerable to DoS attack if webpack is compiling untrusted code |
| 2021-33587 | css-what@<5.0.1 | ✅ Fixed | Is only vulnerable to DoS attack if @nuxt/generator is processing untrusted code |
| 2021-33502 | normalize-url<4.5.1, 5.3.1, 6.0.1 | ✅ Fixed | Is only vulnerable to DoS attack if extract-css-chunks-webpack-plugin is compiling untrusted css code |
| 2020-28469 | glob-parent<5.1.2 | ✅ Fixed | Is only vulnerable to DoS attack when in an untrusted development environment |

Notes:

  • If you are directly using the above dependencies in production or in a solution other than nuxt, they should be considered
  • We regularly update the lock file and check advisories using automated GitHub Actions
  • If you found a security issue in a nuxt sub-dependency which is not mentioned above, please let us know via security [at] nuxtjs.org
  • Generally, you should consider security advisories unless mentioned here as safe, if used in a build-only step or you are sure about its safety
@pi0 pi0 added the info label May 12, 2021
@pi0 pi0 pinned this issue May 12, 2021
@Atinux Atinux changed the title security advisories Security advisories May 12, 2021
@metasean

metasean commented May 16, 2021

I understand that for most projects these are false positives, but all those false positives are still causing a lot of vulnerability warnings (currently the 145 shown below) that we need to weed through in an attempt to identify if there are any actual security issues.

There's got to be a better way to handle this.

@metasean

This comment has been minimized.

@metasean

This comment has been minimized.

@metasean

metasean commented May 16, 2021

@danielroe - I know how to add expandable details to github issues (it's a pretty great feature), so if I had wanted my last three comments to have the vulnerability warnings collapsed I would have done so. Normally, with that much text to wade through, I would absolutely have made them expandable.

Which brings us to why I didn't collapse them when I made my previous responses and why I've reverted your edits to collapse them.

100% of my last three comments are about the problems that simply having these vulnerability warnings in our audits —vulnerability warnings which we cannot collapse in our audits— can cause, even if these warnings are just false positives. The problem my comments are addressing is precisely that there are so many warnings to wade through.

While, for many NuxtJS projects, the intent of the warnings is moot (because they're false positives), because this transitive dependency is used so extensively throughout NuxtJS, the decision not to identify a fix that will actually resolve the resulting warnings is itself overwhelmingly problematic.

Thus, I very intentionally gathered, formatted, and included, in an equally intentional, uncollapsed format, that overwhelming list of vulnerability warnings so as to highlight just how overwhelmingly problematic the list of vulnerability warnings is.

[edited to add]
If a plan is identified which will result in these warnings being removed from our audit outputs, then I'll be very happy (ecstatic even) to collapse the warnings listed in the previous 3 comments!

@danielroe
Member

@metasean I understand you're frustrated. This is something we all experience at the moment when running npm audit so you're not alone. However, its output is not within the control of Nuxt, and in fact there are tools to address the issues you are reporting, such as better-npm-audit. Specifying package dependencies explicitly is best practice - and, in fact, required for pnp support. (You might also consider using https://github.com/nuxt/postcss8 + a yarn resolution to ensure that only PostCSS 8 will be installed.)

As it happens, we do plan to upgrade Nuxt to PostCSS 8 as soon as practicable, though as it is a breaking change it needs to be done carefully and with forethought. You can follow #8087 for updates.

Finally, I've minimised your comments again to ensure this issue remains readable and useful for others. Making your point in the way you did is not kind or considerate, though I trust that was not your intention.

@moleCuleFFF

@danielroe Can we get this updated with the error regarding css-what please?

#9404

@yu1222

yu1222 commented Jun 15, 2021

@pi0
Regarding the security issue, is the change included in version 2.15.7?
I can't find the change(release note) in the code. 🙇
https://github.com/nuxt/nuxt.js/releases/tag/v2.15.7

Security advisory
Please upgrade to nuxt@^2.15.7 if using nuxt@2.15.5 or nuxt@2.15.6

@pi0
Member Author

pi0 commented Jun 15, 2021

@yu1222 Yes, it is in 2.5.7. It is related to #9431.

@simonbrent

I also see security issues for

While trim-newlines is not a dependency of nuxt, nuxt doesn't work with sass-loader > v10, which requires node-sass v5 (the dependency is updated in node-sass v6)

Is it worth mentioning either/both of these at the top?

@amdp

amdp commented Jun 26, 2021

Is there a more narrow expected time range for the Nuxt3 release?

@caioferrarezi

Sorry if it may be repetitive, but I'm also facing this security issue with glob-parent as mentioned above. Is it safe to ignore the package as it is with the listed ones?

Member

@caioferrarezi Yes.

@honeyamin

Should I use
"scripts": { "preinstall": "npx npm-force-resolutions" }
in package and also
"resolutions": { "dependencies": version }
before running npm i?

@danielroe
Member

Please see veged/coa#99 and immediately use a resolution to prevent installing malicious code.

@iamarpitpatidar

iamarpitpatidar commented Nov 13, 2021

@pi0 glob-parent hasn't been fixed please edit the above comment.
@nuxt/types@2.15.8 still uses glob-parent@3.1.0

Here is the output of npm list glob-parent:

+-- @nuxt/types@2.15.8
| `-- sass-loader@10.1.1
|   `-- webpack@4.46.0
|     `-- watchpack@1.7.5
|       `-- watchpack-chokidar2@2.0.1
|         `-- chokidar@2.1.8
|           `-- glob-parent@3.1.0

@xta

xta commented Feb 1, 2022

Related to @iamarpitpatidar's comment. I am seeing glob-parent@3.1.0 in @nuxt/webpack@2.15.8. Expecting glob-parent >= 5.1.2

npm ls glob-parent

├─┬ nuxt@2.15.8
│ ├─┬ @nuxt/cli@2.15.8
│ │ └─┬ globby@11.0.4
│ │   └─┬ fast-glob@3.2.7
│ │     └── glob-parent@5.1.2 deduped
│ └─┬ @nuxt/webpack@2.15.8
│   └─┬ webpack@4.46.0
│     └─┬ watchpack@1.7.5
│       └─┬ watchpack-chokidar2@2.0.1
│         └─┬ chokidar@2.1.8
│           └── glob-parent@3.1.0
...

@XPAULUSX

XPAULUSX commented Mar 15, 2022

Hello, I'm seeing vulnerabilities with the following packages, which are dependencies of nuxt@2.15.8; these are shown through our Snyk dashboard.

Can anyone advise me on how best to rectify these or is it a case of waiting for Nuxt 3?

Any advice would be appreciated, thanks.

Severity High - lodash.template@4.5.0
Introduced through: nuxt@2.15.8 › @nuxt/vue-renderer@2.15.8 › vue-server-renderer@2.6.14 › lodash.template@4.5.0
Introduced through: nuxt@2.15.8 › @nuxt/server@2.15.8 › @nuxt/vue-renderer@2.15.8 › vue-server-renderer@2.6.14 › lodash.template@4.5.0
Introduced through: nuxt@2.15.8 › @nuxt/core@2.15.8 › @nuxt/server@2.15.8 › @nuxt/vue-renderer@2.15.8 › vue-server-renderer@2.6.14 › lodash.template@4.5.0

Severity High - nth-check@1.0.2
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › nth-check@1.0.2
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › optimize-css-assets-webpack-plugin@5.0.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › nth-check@1.0.2
Introduced through: booking_journey_fe@1.0.0 › nuxt@2.15.8 › @nuxt/builder@2.15.8 › @nuxt/webpack@2.15.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › nth-check@1.0.2
Introduced through: nuxt@2.15.8 › @nuxt/builder@2.15.8 › @nuxt/webpack@2.15.8 › optimize-css-assets-webpack-plugin@5.0.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › nth-check@1.0.2

Severity High - unset-value@1.0.0
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › webpack@4.46.0 › micromatch@3.1.10 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › unset-value@1.0.0

31 more instances for this package, but thought best to just include one example here

Severity Medium - glob-parent@3.1.0
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › webpack@4.46.0 › watchpack@1.7.5 › watchpack-chokidar2@2.0.1 › chokidar@2.1.8 › glob-parent@3.1.0
Introduced through: nuxt@2.15.8 › @nuxt/builder@2.15.8 › @nuxt/webpack@2.15.8 › webpack@4.46.0 › watchpack@1.7.5 › watchpack-chokidar2@2.0.1 › chokidar@2.1.8 › glob-parent@3.1.0

Severity Medium - css-what@3.4.2
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › css-what@3.4.2
Introduced through: nuxt@2.15.8 › @nuxt/webpack@2.15.8 › optimize-css-assets-webpack-plugin@5.0.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › css-what@3.4.2
Introduced through: nuxt@2.15.8 › @nuxt/builder@2.15.8 › @nuxt/webpack@2.15.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › css-what@3.4.2
Introduced through: nuxt@2.15.8 › @nuxt/builder@2.15.8 › @nuxt/webpack@2.15.8 › optimize-css-assets-webpack-plugin@5.0.8 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-svgo@4.0.3 › svgo@1.3.2 › css-select@2.1.0 › css-what@3.4.2

@danielroe
Member

@XPAULUSX All of the dependencies you list are build-time and are not installed in your built app. This is a helpful summary of the situation.

@pi0
Member Author

pi0 commented Mar 15, 2022

lodash.template is used in @nuxt/server › vue-renderer, which is a runtime dependency, but it is safe as it is not used by nuxt. We compile templates at build time :)

@stale

stale bot commented Apr 16, 2022

Thanks for your contribution to Nuxt!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as pending will not be automatically marked as stale.

@stale stale bot added the stale label Apr 16, 2022
@n1ngu

n1ngu commented Apr 16, 2022

Bear with us, StaleBot, for this issue is pinned! Can someone add whatever label is due?

@igarcez

igarcez commented Jun 23, 2022

Are these vulnerabilities also not a problem when we need to be compliant with PCI compliance standards?

@fago

fago commented Jul 1, 2022

Is there any solution or workarounds to this?

lodash.template is used in @nuxt/server › vue-renderer, which is a runtime dependency, but it is safe as it is not used by nuxt. We compile templates at build time :)

Even if security issues don't really apply - like in this case - having vulnerable packages in production builds will trigger a red flag for security checks for corporate requirements requiring security checks on their deployed apps. Any ideas or solutions on how to achieve that with Nuxt2?

@danielroe
Member

@fago You can use yarn or pnpm resolutions to force a given dependency version to be resolved/installed in your project.

@fago

fago commented Jul 1, 2022

I see, thanks - we'll give that a try.

@zakarialounes

New security issue: CWE-918 Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url.

nuxt@2.15.8 requires parse-url@^6.0.0 via a transitive dependency on git-up@4.0.5
The earliest fixed version is 8.1.0.

@danielroe
Member

The git-up dependency is not used in production, and is used by Nuxt in development/build to parse your own repository url, which I would not regard as vulnerable usage.

@zakarialounes

zakarialounes commented Oct 2, 2022

The git-up dependency is not used in production, and is used by Nuxt in development/build to parse your own repository url, which I would not regard as vulnerable usage.

Oh right! Thanks for your answer @danielroe.

Is there a simple way to check if a vulnerability is used in production/dev mode (for future security issues)?
Or maybe you could specify in the first post all security issues and their vulnerability levels? Maybe that would help.
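One way to answer this question for your own project, as an added example that is not code from this issue or the Nuxt project: feed the tree from npm ls --all --json to a short script that lists every path to a flagged package and marks the package build-only when all of its paths run through one of the Nuxt packages the maintainers above describe as build-time. The BUILD_ONLY set and the project name are assumptions; the tree below is constructed from the npm ls output quoted earlier in the thread.

```javascript
// Added example (not code from the Nuxt project or this issue): triage an
// `npm ls --all --json` tree by listing every path to a flagged package and
// marking whether each path runs only through build-time packages.
// Assumption: BUILD_ONLY holds the Nuxt 2 packages the maintainers describe in
// this thread as build-time only; adjust it for your own dependency tree.
const BUILD_ONLY = new Set(["@nuxt/webpack", "@nuxt/builder", "@nuxt/cli"]);

// Constructed tree in the shape of `npm ls --all --json`, trimmed from the
// output quoted in the thread (the project name is hypothetical).
const node = (version, dependencies = {}) => ({ version, dependencies });
const tree = { name: "myproject", version: "1.0.0", dependencies: {
  nuxt: node("2.15.8", {
    "@nuxt/webpack": node("2.15.8", { webpack: node("4.46.0", { watchpack: node("1.7.5", {
      "watchpack-chokidar2": node("2.0.1", { chokidar: node("2.1.8", { "glob-parent": node("3.1.0") }) }) }) }) }),
    "@nuxt/server": node("2.15.8", { "@nuxt/vue-renderer": node("2.15.8", {
      "vue-server-renderer": node("2.6.14", { "lodash.template": node("4.5.0") }) }) }),
  }),
} };

// Depth-first walk collecting every path (as "name@version" chains) to pkg.
function findPaths(root, pkg, path = [], out = []) {
  for (const [name, child] of Object.entries(root.dependencies || {})) {
    const next = [...path, `${name}@${child.version}`];
    if (name === pkg) out.push(next);
    findPaths(child, pkg, next, out);
  }
  return out;
}

// Strip the trailing "@version" from a path entry, keeping scoped names intact.
const pkgName = (spec) => spec.replace(/@[^@]*$/, "");

// A path is build-only when some package on it is in BUILD_ONLY; the flagged
// package needs review when at least one path avoids that set entirely.
function triage(root, pkg) {
  const paths = findPaths(root, pkg);
  const runtime = paths.filter((p) => !p.some((s) => BUILD_ONLY.has(pkgName(s))));
  const status = paths.length === 0 ? "absent" : runtime.length ? "runtime: review" : "build-only";
  return { pkg, status, paths };
}

for (const pkg of ["glob-parent", "lodash.template", "nth-check"]) {
  const r = triage(tree, pkg);
  console.log(`${r.pkg}: ${r.status}`);
  for (const p of r.paths) console.log("  " + p.join(" > "));
}
```

A "runtime: review" result only means the package ships with the app; whether it is actually reachable with untrusted input still has to be checked by hand, as pi0 does for lodash.template above.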

@YutaMoriJP

@danielroe Hi, there are no security vulnerabilities in Nuxt 2.14.12 right? https://security.snyk.io/package/npm/nuxt/2.14.12

@kwolniak

Looks like new things pop out:

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@nuxtjs/auth-next/node_modules/axios
node_modules/axios
  @nuxtjs/auth-next  *
  Depends on vulnerable versions of @nuxtjs/axios
  Depends on vulnerable versions of axios
  node_modules/@nuxtjs/auth-next
  @nuxtjs/axios  *
  Depends on vulnerable versions of axios
  node_modules/@nuxtjs/axios
myproject
+-- @nuxtjs/auth-next@5.0.0-1667386184.dfbbb54
| `-- axios@0.26.1
`-- @nuxtjs/axios@5.13.6
  `-- axios@0.21.4

@pi0
Member Author

pi0 commented Nov 16, 2023

Thanks for the heads up @kwolniak, added nuxt-community/axios-module#609 to do.

@pi0
Member Author

pi0 commented Nov 16, 2023

@danielroe Feel free to close this old tracker btw if most of them are updated in the 2.x branch!

@pi0 pi0 changed the title Security advisories Nuxt2 Security advisories Nov 16, 2023
@danielroe danielroe closed this as not planned Won't fix, can't repro, duplicate, stale Nov 16, 2023